This action configures authentication to a GKE cluster via a kubeconfig file that can be used with kubectl or other methods of interacting with the cluster.

Authentication is performed by generating a short-lived token (default behaviour) or via the GCP auth plugin present in kubectl which uses the service account keyfile path in GOOGLE_APPLICATION_CREDENTIALS.

This action requires:

• Google Cloud credentials that are authorized to view a GKE cluster. See the Authorization section below for more information.

• Create a GKE cluster

steps:
- id: get-credentials
  uses: google-github-actions/get-gke-credentials@main
  with:
    cluster_name: my-cluster
    location: us-central1-a
    credentials: ${{ secrets.gcp_credentials }}

# The KUBECONFIG env var is automatically exported and picked up by kubectl.
- id: get-pods
  run: kubectl get pods

• cluster_name: (Required) Name of the cluster to get credentials for.

• location: (Required) Location (Region/Zone) for the cluster.

• credentials: (Optional) Service account key to use for authentication. This should be the JSON formatted private key which can be exported from the Cloud Console. The value can be raw or base64-encoded. Required if not using a the setup-gcloud action with exported credentials.

• project_id: (Optional) Project ID where the cluster is deployed. If provided, this will override the project configured by gcloud.

• use_auth_provider: (Optional) Flag to use GCP auth plugin in kubectl instead of a short lived token. Defaults to false.

• use_internal_ip: (Optional) Flag to use the internal IP address of the cluster endpoint with private clusters. Defaults to false.

• Exports env var KUBECONFIG which is set to the generated kubeconfig file path.

There are a few ways to authenticate this action. A service account will be needed with at least the following roles:

• Kubernetes Engine Cluster Viewer (roles/container.clusterViewer):
  • Get and list access to GKE Clusters. `

You can provide Google Cloud Service Account JSON directly to the action by specifying the credentials input. First, create a GitHub Secret that contains the JSON content, then import it into the action:

- id: get-credentials
  uses: google-github-actions/get-gke-credentials@main
  with:
    cluster_name: my-cluster
    location: us-central1-a
    credentials: ${{ secrets.gcp_credentials }}

If you are hosting your own runners, and those runners are on Google Cloud, you can leverage the Application Default Credentials of the instance. This will authenticate requests as the service account attached to the instance. This only works using a custom runner hosted on GCP.

- id: get-credentials
  uses: google-github-actions/get-gke-credentials@main
  with:
    cluster_name: my-cluster
    location: us-central1-a

The action will automatically detect and use the Application Default Credentials.